The biennial Quantum Dawn cyber exercise brings the financial industry together for a sort of “war game” that simulates a major financial institution being taken out by a malware attack. The scenario has typically focused on the United States banking industry, but the 2019 edition was the first to include participants from Asia and Europe.
This year’s event imagined what would happen if a “too big to fail” financial institution was rendered inoperable by a targeted ransomware attack.
A relevant cyber exercise
These simulations are interesting to those outside of the industry as they generally represent what bankers, financiers and regulators feel is the biggest contemporary threat to their industry.
The first Quantum Dawn, held in 2011 and perhaps inspired by the then-recent beginning of the Occupy movement, visualized an armed takeover of the New York Stock Exchange paired with a cyber attack on trading platforms. More recent simulations such as Quantum Dawn IV have focused on an unpredictable barrage of digital attacks, ranging from malware to distributed denial of service (DDoS) campaigns and even large-scale coordinated fraud. Participants do not know what the simulated scenario is going to be until it is underway.
The 2019 edition, the fifth such cyber exercise, was the first to simulate a global attack on the financial services industry. The scenario saw a major institution in the United States hit by ransomware after trading closed, which then spread to banks in the United Kingdom and throughout Asia before returning to the US to hit one of the financial market utilities responsible for payments and settling of accounts.
The cyber exercise is organized by the Securities Industry and Financial Markets Association (SIFMA) and includes over 800 decision-makers from major banks, financial firms and regulatory bodies. While the first Quantum Dawn events took place at an in-person meeting, the most recent event brought the international players together through a conference call.
As the imaginary ransomware spread, representatives from each institution and regulatory body were asked to describe what they would do in response and how they would coordinate with other organizations. These exercises also usually feature “hands on keyboard” tests for incident response personnel, but SIFMA has not released any details about such tests from this year’s activity as of yet.
These exercises stress communication between participants rather than coming up with perfect responses to each attack. Each cyber exercise usually concludes with an information sharing session in which participants compare their strategies and pass along notes to their incident response personnel.
“No single actor – not the Federal (National) government, nor any individual firm – has the resources to protect markets from cyber-threats on their own,” said SIFMA CEO Kenneth E Bentsen, Jr., in an announcement similar to the one that was released after the previous Quantum Dawn.
The importance of cybersecurity readiness in the financial sector
Financial institutions are a natural high-value target for hackers. A 2018 study from ITSP Magazine found that financial service businesses are 300 times more likely to be targeted by a cyber attack than any other type of business, and that successful attacks cost financial firms $6 million more to clean up than other industries.
Wall Street is essentially the perfect target for ransomware attackers – these organizations almost exclusively deal in sensitive and confidential customer information, extended downtime is extremely expensive for them, and they usually have significant cash-on-hand. The ransom amount often seems like a relative bargain as compared to the full range of cyber incident remediation costs.
Financial services firms in America are attacked about one billion times each year, according to the ITSP study.
The focus on ransomware in this year’s cyber exercise is interesting. This is most likely tied to an overall surge in ransomware across all industries, with cyber ransom attempts up 77% in the first half of 2019. Ransomware is not necessarily the most lucrative attack type for a hacker targeting a financial firm; using phishing to gain surreptitious access to the network would likely provide a greater potential yield. But ransomware is a much easier and lower-risk attack type for criminals, and it is highly successful in gathering payments when it catches organizations without proper backup systems in place.
Though ransomware is a growing concern, the Verizon 2019 Data Breach Investigations Report found that it is still less frequent than attacks perpetrated by insiders and network breaches attributed to malware (particularly business email compromise schemes). 67% of financial institutions surveyed reported an increase in cyber attacks in 2019, and 79% of industry CISOs believed that attackers were becoming more sophisticated.
How Quantum Dawn improves financial industry cybersecurity
In partnership with Protiviti Consulting, SIFMA publishes a public after-action report that analyzes the cyber exercise and provides recommendations for the financial services sector. In previous years, this report has been made available to the public in June of the year following the event.
In the interim, SIFMA is actively working with member firms on a number of cybersecurity initiatives. These include efforts to standardize regulations, ongoing industry testing to improve preparedness and recovery, and updating of industry best practices based on data gathered during the cyber exercise. A post-exercise SIFMA statement stressed “… the importance of a robust partnership between the industry and government grounded in information sharing.”
Ransomware generally begins with malware and phishing, the same avenues by which most other cyber attacks penetrate business networks. Proper employee training and security measures are the only answer, but unlike other attack types the only recovery option once ransomware hits is to have a robust and regular backup system in place.